[00:01.040 --> 00:07.940]  Hi, my name is John Odom, and I'm currently the city clerk in Montpelier, Vermont.
[00:08.100 --> 00:12.060]  In that capacity, I'm also the election administrator.
[00:12.300 --> 00:15.380]  And, boy, has this been a year for that.
[00:15.380 --> 00:20.120]  We've got our own statewide primary coming up in about a week and a half.
[00:20.120 --> 00:24.760]  So, even taking a little time to record this is kind of challenging.
[00:25.680 --> 00:30.060]  I'm also a certified ethical hacker.
[00:30.060 --> 00:37.900]  I've been in charge of a couple networks and been a database administrator for various non-profits.
[00:37.980 --> 00:45.100]  So, I tend to have a little more hands-on knowledge than most of my colleagues in the industry,
[00:45.100 --> 00:53.220]  but not as much as you might think, because my life's a little busy and I don't get to practice this stuff very much.
[00:53.220 --> 01:02.480]  Anyways, I want to bring something to folks who participate in the Voting Village's attention.
[01:02.480 --> 01:08.060]  And it's not something that has been ignored, but I think it's something that deserves a little more attention.
[01:09.220 --> 01:15.320]  To make the point about how concerned I am, I'm going to tell you a little story.
[01:16.020 --> 01:21.560]  And this is not exactly on topic, but I want to use it to make a point.
[01:21.560 --> 01:26.560]  Several years back in Memphis, and some of you may have heard this story,
[01:27.340 --> 01:33.260]  there was a local election, the mayor was being elected, various local officials,
[01:33.260 --> 01:40.580]  and one clever person decided to compare the turnout from the tape,
[01:40.580 --> 01:47.320]  and most tabulators generate some sort of tape, some sort of physical record of the time listing the votes,
[01:47.320 --> 01:53.600]  and compare that number with what was reported through the GEMS system.
[01:53.600 --> 02:00.620]  And I know also a lot of folks who've been participating in Voting Village share some concerns about that system.
[02:01.380 --> 02:10.430]  Well, the numbers did not add up. According to the tape, 546 people in this particular precinct had voted,
[02:11.670 --> 02:17.310]  according to the tape, and the system only showed 330.
[02:18.010 --> 02:22.190]  They looked at this, they looked at other precincts, they found the same problem,
[02:22.190 --> 02:27.550]  especially in districts with heavy minority populations.
[02:29.010 --> 02:36.750]  Big problem, it's the problem we talk about at DEFCON, but I want to present another scenario to you.
[02:36.750 --> 02:45.070]  Consider this happening on a statewide level, not district by district, not precinct by precinct,
[02:45.070 --> 02:52.830]  not through any one individual network of voting machines, but an entire state.
[02:53.730 --> 03:01.610]  There are statewide systems that manage databases. This is mandated by the Help America Vote Act,
[03:01.610 --> 03:08.370]  which came in the wake of the 2000 presidential election voting debacle.
[03:08.370 --> 03:15.330]  You know, the hanging chads, the numbers that didn't add up, and it all went to the courts and it went to the Supreme Court.
[03:15.790 --> 03:26.830]  After that, there was a bipartisan group that got together, federally mandated, and came up with several recommendations.
[03:26.830 --> 03:33.850]  Now, generally, they were very good recommendations. I don't want to disrespect HAVA at all.
[03:33.850 --> 03:46.670]  One of the recommendations, understandably, was that states should be working on their voter rolls through one centralized system,
[03:46.670 --> 03:54.670]  one centralized statewide database that would contain all the voter registration information.
[03:54.670 --> 04:04.810]  But obviously, you can see where I'm going with this. There are concerns about, or we have to be concerned, about the security of these systems.
[04:04.810 --> 04:12.550]  So these statewide systems don't all necessarily just hold the voter registration information.
[04:12.550 --> 04:18.850]  A lot of them, including in my home state of Vermont, are actually election management systems.
[04:19.750 --> 04:28.150]  Election administrators will report their information for election night reporting.
[04:28.750 --> 04:39.750]  Sometimes we will work directly into these systems to manage it, to create our reports, to create our elections and local elections, and manage them directly out of that.
[04:39.750 --> 04:47.710]  So there's a lot going on with these systems. They are very important, and local administrators have come to really depend on them.
[04:47.710 --> 04:55.850]  Well, how are they doing? Could be better. I want to talk about the famous Mueller Report.
[04:55.930 --> 05:01.830]  Now, tucked away in that is this little gem that I'm going to read here, part of it.
[05:01.870 --> 05:06.710]  It says, in addition to targeting individuals involved in the Clinton campaign,
[05:07.550 --> 05:13.830]  Mueller's operation also targeted individuals and entities involved in the administration of the elections.
[05:13.830 --> 05:24.550]  Victims included U.S. state and local entities, such as state boards of elections, secretaries of state, and county governments, as well as individuals that work for the entities.
[05:24.610 --> 05:37.570]  They also targeted private technology firms responsible for manufacturing and administering election-related software and hardware, such as voter registration software and electronic polling stations.
[05:37.570 --> 05:53.690]  Now, here's the scary part. The report says that foreign actors targeted state and local databases of registered voters using a technique known as SQL injection,
[05:53.690 --> 05:59.110]  by which malicious code was sent to the state or local website in order to run commands.
[05:59.110 --> 06:12.910]  In one instance, in approximately June of 2016, the working group was able to compromise the computer network of the Illinois State Board of Elections by exploiting a vulnerability,
[06:12.910 --> 06:22.770]  presumably a SQL injection-related vulnerability. This gave them access to a database containing information on millions of registered Illinois voters.
[06:22.770 --> 06:31.010]  The group extracted data related to thousands of U.S. voters before the malicious activity was identified.
[06:31.790 --> 06:43.450]  Alright, so beyond just the obvious scary here, you know, okay, a lot of you folks will know that code injection is a very big deal.
[06:43.450 --> 06:57.730]  Code injection is, you know, it's where most of the hacks come from these days. But SQL? SQL injection is something we have been aware of for many years.
[06:57.990 --> 07:07.170]  We know how to harden against it. So my question is, why wasn't it already hardened against it?
[07:07.170 --> 07:21.510]  SQL injection is very easy. One line fed through to a database from a simple login screen can get you in. We know input validation is the solution. So where the hell was the input validation?
[07:22.890 --> 07:35.870]  What that says to me is, and you, again, to refer to Voting Village in the last few years, what's gotten a lot of attention was the simulation of the statewide voter database.
[07:35.870 --> 07:46.070]  It's got national coverage that kids could sit down at this simulation and they could hack right into our dummy statewide voter registration system.
[07:46.070 --> 07:55.830]  Well, of course, the pushback and all the yelling and hollering from the secretaries of state were that this was a phony simulation.
[07:55.830 --> 08:01.950]  That their systems are actually far more secure. Somehow this was set up to be hacked to make their point.
[08:01.950 --> 08:17.170]  Well, if SQL injection is a way to get into this stuff, I would argue that those systems, those dummy systems we made up, maybe were not loose and accessible enough.
[08:17.170 --> 08:25.370]  So, all right, so let's talk about HAVA, the Help America Vote Act.
[08:26.630 --> 08:29.070]  And I'm going to read a little bit from it.
[08:29.070 --> 08:47.150]  Part of the mandate is each state acting through the chief state election official shall implement in a uniform and nondiscriminatory manner a single uniform official centralized interactive computerized statewide voter registration list defined, maintained and administered at the state level.
[08:47.150 --> 08:56.830]  So states have no choice but to do this. And again, populations, what they are, it's completely understandable.
[08:56.990 --> 09:02.650]  So what do states do? Well, several do in-house development.
[09:03.730 --> 09:16.530]  In Vermont, we used to, our first database, our first election management system out of the box, out of HAVA was an internet-facing FoxPro application.
[09:17.190 --> 09:20.170]  It was pretty crude.
[09:20.770 --> 09:31.630]  But these days, and other states currently are still doing in-house solutions, states like Colorado, Illinois, Kentucky.
[09:31.630 --> 09:35.650]  You could put together something pretty nice if you knew what you were doing.
[09:36.990 --> 09:42.450]  Obviously, then the networks they sit on, the municipal networks, are potentially vulnerable too.
[09:42.470 --> 09:46.030]  But if you can get in by SQL injection, why bother?
[09:46.730 --> 09:52.410]  Okay, but more and more often, you see these states using vendors.
[09:52.410 --> 10:04.890]  And these are vendors, you know, it's like any niche application, any niche market, you're going to get niche vendors who pop up specifically to serve that market.
[10:07.010 --> 10:13.170]  So before this, we had somebody call around. I wanted to know what states used what.
[10:13.170 --> 10:18.650]  How many of them used one vendor versus another? How many of them were designing in-house?
[10:18.650 --> 10:26.230]  I don't know if I can really say this, but word got out that we were calling around and there were people who were less than thrilled.
[10:28.630 --> 10:34.090]  And defensiveness in public systems should really make us all uncomfortable.
[10:34.090 --> 10:43.370]  Now, I want to look at one particular vendor right now, because I have a little more firsthand familiarity with it, called PCC.
[10:44.190 --> 10:50.530]  Now, here's a list from their website of their current clients.
[10:51.130 --> 11:03.610]  Okay, now factoring out for the consulting only options here, that's 15 states doing database management in election application hosting for voter registration, election night reporting.
[11:04.090 --> 11:08.990]  So who is PCC? Well, this is part of the problem.
[11:08.990 --> 11:17.470]  Who knows? Go to PCC's website and no staff is listed. Only board officers, not even the whole board.
[11:17.730 --> 11:29.670]  Now, I didn't do research on people who did show up. I probably should have, I could have, but I didn't. I don't want to knock them without any basis or unnecessarily then.
[11:30.810 --> 11:39.430]  And, you know, they seem to be perfectly reputable people. I didn't see any, the one I did look at, I didn't see any obvious big political connections.
[11:40.650 --> 11:53.570]  CEO Tom Ambergy is a big, was a big shot at Central Square Technology, for example, and they were recently at a major hack, a Magecart attack.
[11:53.670 --> 11:57.750]  Now, you know, I don't want to beat them up too much for a Magecart attack. They're good.
[11:57.750 --> 12:04.210]  But Magecart attacks generally use JavaScript injections. So it's something that could be hardened for.
[12:04.370 --> 12:11.610]  And with election systems, there's just no margin for error. You've got to be ahead of these games.
[12:11.610 --> 12:17.310]  So I wouldn't say that was a big concern of mine, but it does raise my eyebrow a little bit.
[12:18.690 --> 12:35.150]  But let's look at some of these proposals that PCC or organizations like PCC have put forward to the states to try to get their business.
[12:35.150 --> 12:42.730]  I want to show you the one from Delaware and just pieces of it. It's, of course, very, very long.
[12:42.730 --> 12:55.130]  But I'm going to show you here a typical page from the publicly posted proposal from PCC to run their election systems.
[12:58.160 --> 13:05.740]  OK, when you look at this, this is what you'll see. Not much.
[13:07.080 --> 13:17.380]  I, you know, I didn't do the measurement and everything, but from my glance, I would say at the most about 20 percent of this entire proposal is visible.
[13:17.380 --> 13:25.140]  So that's me being generous. Now, of course, I understand companies have proprietary information.
[13:25.140 --> 13:30.640]  They have proprietary stuff that's standard for any RFP. You expect that.
[13:30.640 --> 13:40.100]  But come on. Why even post it at all? I mean, this is something made available to the public, you know, public records.
[13:40.280 --> 13:47.120]  But it's not. I mean, it's almost a joke. If I didn't know better, I'd say it was almost passive-aggressive.
[13:47.480 --> 13:54.980]  But what bothers me the most in terms of the redactions is all the staff is redacted. And this is typical.
[13:54.980 --> 13:59.620]  So just like the website, we don't know who's working on this.
[13:59.620 --> 14:04.300]  And that bothers me a lot because people have their own interests.
[14:04.300 --> 14:09.720]  They come from backgrounds, partisan backgrounds, nonprofit backgrounds.
[14:09.720 --> 14:23.140]  I think it's reasonable. And I don't think it necessarily, you know, reveals any particular corporate secrets that we could have some idea who the people are doing this stuff,
[14:23.140 --> 14:27.580]  either in an individual state or even at the company proper.
[14:28.400 --> 14:36.920]  Now, financials are also redacted. I know that's a thing that's very standard, but I would argue that it shouldn't be.
[14:37.060 --> 14:45.540]  I think our right to know trumps any embarrassment or discomfort of big companies.
[14:45.540 --> 14:50.240]  And publicly, we might not want one that's on the edge of bankruptcy.
[14:50.240 --> 14:54.280]  And we might want to see that. So here is the problem.
[14:54.280 --> 15:01.240]  There are very few companies doing this. And they are opaque.
[15:01.240 --> 15:08.500]  We don't know who they are. And that's basically it. We don't know who they are. And that's scary.
[15:08.500 --> 15:14.520]  That's very, very scary, at least to me. And it does matter.
[15:14.520 --> 15:24.980]  In Georgia, they had a recent problem, a debacle involving their voter rolls, involving the voter registration.
[15:24.980 --> 15:28.180]  Now, this wasn't exactly what I'm talking about.
[15:28.180 --> 15:36.500]  But it makes the point about how badly you can screw up an election simply by screwing up voter rolls.
[15:36.500 --> 15:39.760]  You can disenfranchise people in a big election crush.
[15:39.760 --> 15:45.780]  They're just not going to get to vote or they're going to have to fill out an enormous amount of provisional ballots,
[15:45.780 --> 15:52.200]  which honestly might not necessarily get counted the way they should be.
[15:52.240 --> 15:59.760]  Now, during a court case involving this whole debacle, a lot of insecurities,
[15:59.860 --> 16:06.380]  a lot of vulnerabilities in the PCC system were brought to the attention of the court.
[16:06.380 --> 16:13.520]  After that, Georgia decided to pull back. Their contract ran out and they decided to pull it back in-house.
[16:13.520 --> 16:20.200]  So that's a pretty unusual step to take. And it shows you just how concerning those vulnerabilities were.
[16:20.980 --> 16:24.980]  Now, you know, we've got our public officials doing this.
[16:24.980 --> 16:31.700]  Can we count on our public officials to be straight with us about this stuff if there's a problem?
[16:31.700 --> 16:40.480]  Well, obviously not. And again, I don't mean to knock secretaries of state, but they have their own interest.
[16:40.480 --> 16:46.620]  They have an interest in getting reelected, and that means they have interest in looking competent.
[16:46.980 --> 16:52.900]  Now, some of them like to talk about internal security a lot. You know, we've upgraded this to make it better.
[16:52.900 --> 16:55.460]  We've got better voting machines to make this better.
[16:55.460 --> 17:06.160]  We're doing our due diligence within the sphere that we control in order to do a better job and get reelected.
[17:06.160 --> 17:10.540]  They don't like to talk about the potential for things outside.
[17:10.820 --> 17:17.000]  And that means they don't necessarily like to talk about the walls that they've built that they're responsible for
[17:17.000 --> 17:29.140]  that are, you know, the dividing the firewall, pardon the expression, between the voters and the outside world where you could have malicious actors.
[17:29.140 --> 17:32.900]  And again, with the Mueller report, we're talking about advanced persistent threats.
[17:32.900 --> 17:37.040]  We're talking about state actors, but not necessarily.
[17:39.520 --> 17:46.480]  So secretaries of state have a vested interest in saying everything's rosy and everything's wonderful.
[17:46.480 --> 17:49.260]  So that, that is a problem.
[17:50.020 --> 17:57.220]  So let's look at some of the other systems. I've been picking on PCC, but there are other systems out there.
[17:58.700 --> 18:09.060]  And folks might recognize, Voting Village might recognize one of the other major, probably the other major election management system that's out there.
[18:09.180 --> 18:11.780]  It's from ES&S.
[18:12.420 --> 18:20.500]  ES&S are our old friends. For years, Voting Village has been hacking their machines.
[18:20.620 --> 18:25.520]  And they, more than any of their companies, have been the most belligerent.
[18:26.240 --> 18:37.160]  Last year, I believe it was, they actually had folks sort of roaming about trying to make people uncomfortable about hacking, suggesting they shouldn't.
[18:37.160 --> 18:42.760]  These were the last folks to come around and say that Voting Village had a point.
[18:43.120 --> 18:46.860]  And it was only after so much coverage. Again, I think it was last year.
[18:46.860 --> 18:53.240]  These folks are not good partners. They are not reliable partners in our experience.
[18:53.240 --> 19:00.100]  I don't want to get sued for slander here, but in my opinion, based on what we've seen, these are not good partners.
[19:00.100 --> 19:16.340]  And we will remember how quickly the National Association of Secretaries of State last year was right there to defend them on their own terms, on ES&S's terms, and in some language that looked a little bit much like their own words sometimes.
[19:17.140 --> 19:20.120]  So, scary. Scary stuff.
[19:20.120 --> 19:23.240]  And are these things we can test in Voting Village?
[19:23.240 --> 19:26.040]  The way we take apart the voting machines?
[19:26.040 --> 19:27.920]  Of course not. Of course not.
[19:27.920 --> 19:35.000]  We can make our own, you know, dummy systems like we have, and we should, and there's a lot to be made there.
[19:35.000 --> 19:38.940]  But we can't go and test these systems. It's hacking. We can't hack, right?
[19:41.520 --> 19:45.420]  So, I've thrown a bunch of terrible stuff at you here.
[19:46.460 --> 19:51.800]  The question is, what do we need? Do I have any solutions here?
[19:51.800 --> 19:58.680]  Well, first of all, transparency. Transparency, transparency, transparency.
[19:58.680 --> 20:04.060]  We should know who these people are. We should know who runs them, what their interests are.
[20:04.500 --> 20:07.860]  We should know what their backgrounds are.
[20:07.860 --> 20:16.380]  We should know, we should need to know whether these folks even have the competence to do what they claim to do.
[20:16.380 --> 20:21.540]  And I'm going to talk a little bit about the Iowa debacle,
[20:21.540 --> 20:27.940]  where the, during the caucuses, or the primary caucuses this year,
[20:27.940 --> 20:33.660]  the Democratic Party was using these little specially designed, custom designed apps, mobile apps,
[20:33.660 --> 20:37.220]  to report the results of the caucuses to a central place.
[20:37.740 --> 20:42.940]  You all probably heard about this. They were a disaster. They were a disaster.
[20:42.940 --> 20:48.820]  It took a very long time to sort of rebuild the mess that they created,
[20:48.820 --> 20:52.840]  and actually generate a final voting tally.
[20:52.840 --> 20:55.540]  It was a big embarrassment to the Democratic Party.
[20:55.540 --> 20:59.980]  They were going to be using the same systems in Nevada, and they pulled that out.
[21:02.200 --> 21:10.040]  Now, what I would say, the biggest problem, conceptually, with that application,
[21:10.040 --> 21:13.360]  was that it was made by, and you see this a lot,
[21:13.360 --> 21:17.880]  made by folks in the industry who made a lot of personal connections.
[21:17.880 --> 21:21.400]  You know, these were folks who had worked for the Democratic Party, done IT stuff,
[21:21.400 --> 21:28.240]  and they decided to go out on their own, and they made a crappy product.
[21:28.240 --> 21:32.300]  But the crappy product was bought up because, oh, we know these people.
[21:32.300 --> 21:37.680]  These people are in our industry. They're in our world. We know them. We trust them.
[21:38.020 --> 21:45.020]  So, I don't know if the same thing isn't going on with some of these voting applications.
[21:45.020 --> 21:51.120]  PCC, who knows who ES&S hired? That is a real, real problem in this industry.
[21:51.280 --> 21:56.400]  So, we need to know who's doing it, because we need to know if they're competent.
[21:56.400 --> 22:02.420]  If they're reaching out for the best people, or if they're just reaching out for people who are connected with the company.
[22:03.060 --> 22:07.100]  Which gets us back to another point. This needs to be opened up.
[22:07.100 --> 22:15.660]  If we've got one, or two, or three companies doing this, that gives those one, or two, or three companies a lot of power.
[22:15.660 --> 22:20.620]  We need to have more genuine RFPs get this out there.
[22:20.620 --> 22:28.360]  I'm not saying there are angelic companies out there, but mixing it up a little would help.
[22:29.240 --> 22:32.340]  Now, second, we've got to test this stuff.
[22:32.340 --> 22:40.580]  I'm sure the Secretaries of State do pen tests on their systems, but it sure didn't help for 2016.
[22:40.680 --> 22:45.260]  I don't know how a pen test misses a SQL injection attack.
[22:45.520 --> 22:48.160]  There are pen tests, and there are pen tests.
[22:48.160 --> 22:55.040]  And again, the Secretaries of State have a vested interest in not finding vulnerabilities.
[22:55.320 --> 23:00.720]  So, and I've seen some of this, the pen tests tend to be minimal.
[23:00.720 --> 23:03.700]  So, we talk about standards for voting machines.
[23:03.700 --> 23:08.900]  We should have standards for these systems, and reports should be publicly available.
[23:08.900 --> 23:11.840]  We need standards for penetration testing.
[23:11.840 --> 23:18.280]  And that includes testing for social engineering all the way down to the user level.
[23:18.280 --> 23:27.680]  All the way down to the level of the election administrator who, you know, has their own account and talks to this database system.
[23:27.700 --> 23:34.200]  A thorough pen test is going to include tests for social engineering, and you don't generally see that.
[23:34.200 --> 23:39.300]  Especially when you consider any kind of code injection.
[23:39.380 --> 23:42.820]  Notwithstanding, the biggest problem will always be malware.
[23:43.220 --> 23:45.080]  It will always be malware.
[23:45.940 --> 23:48.460]  You can't really audit these systems.
[23:48.480 --> 23:52.400]  So, we need those standards and, again, transparencies and transparency.
[23:53.720 --> 23:56.440]  Yeah, you have to redact most of a pen test.
[23:56.440 --> 23:58.000]  Sure, and that just makes sense.
[23:58.000 --> 24:05.380]  But we could at least be able to see the executive summary of these pen tests as a public document.
[24:05.380 --> 24:09.020]  So, I would argue standards. I would argue, again, transparency.
[24:09.020 --> 24:12.140]  Those are the big two words. Standards, transparency.
[24:12.920 --> 24:14.840]  That gets us a long way.
[24:15.200 --> 24:19.620]  Now, I cannot stress how much of a problem this is.
[24:19.700 --> 24:25.780]  You know, if we're talking about voting machines and systems, which we love to talk about and we need to talk about.
[24:25.780 --> 24:32.000]  A presidential election on those terms would be hard to tank just by going after voting machines.
[24:32.000 --> 24:34.560]  But not these systems.
[24:35.160 --> 24:37.440]  There may be thousands.
[24:37.580 --> 24:44.040]  I think 7,000 is what I read. Localized voting machine tabulation systems.
[24:44.960 --> 24:48.300]  You know, that's a lot to get into and hack, although not for a local election.
[24:48.300 --> 24:52.680]  And local elections are every bit as important as national elections. It's all democracy.
[24:53.060 --> 24:54.920]  Although, again, not impossible.
[24:54.920 --> 25:04.440]  But when you're talking about these online databases and these internet-facing user election management systems,
[25:04.440 --> 25:10.940]  we go from 7,000 targets down to 50. 50 targets.
[25:11.020 --> 25:14.680]  That's a lot more appealing. It's a lot more dangerous.
[25:14.680 --> 25:17.580]  And these systems interact.
[25:18.980 --> 25:26.760]  First of all, most states, you're going to see some kind of connection or some kind of ties to the DMVs, to the Department of Motor Vehicles.
[25:26.760 --> 25:31.980]  You know, we always have to check off for, do I want to be registered to vote too?
[25:31.980 --> 25:36.880]  There are states like Vermont, I'm proud to say, that have automatic voter registration.
[25:37.040 --> 25:39.980]  So those systems have to talk to each other some ways.
[25:39.980 --> 25:43.020]  There are safe ways to do it. There are unsafe ways to do it.
[25:43.040 --> 25:46.300]  We don't know, again, how they're doing it.
[25:47.520 --> 25:52.640]  Tax departments. Some states even connect to their tax departments.
[25:52.700 --> 26:01.800]  So, obviously, any big extensive network-to-network, they're going to be as strong as their weakest links.
[26:02.300 --> 26:07.980]  And those weakest links could be in the statewide networks talking to each other.
[26:07.980 --> 26:11.500]  The weakest links, more often than not, are the users.
[26:11.500 --> 26:22.260]  In New England, you can have election administrators running jurisdictions of as few as 70 people.
[26:22.260 --> 26:32.580]  They don't have a lot of good equipment, and they don't necessarily have a lot of sophistication in how to do proper hygiene,
[26:32.580 --> 26:40.660]  guard against social engineering, against spear phishing.
[26:40.660 --> 26:46.100]  I mean, if I were somebody, I'd take aim at one of those folks, and I'd go right after them.
[26:46.120 --> 26:52.200]  There's also ERIC, which is something I don't know about.
[26:52.480 --> 26:57.440]  ERIC is a statewide system, which now covers about half of the states.
[26:57.440 --> 27:07.480]  I think it's roughly 25, with more looking at it, whereby states interact their databases so they can track cross-state registrations.
[27:07.480 --> 27:18.820]  As it is, it's been a challenge for those states to take someone off a roll in one state because they registered in another state.
[27:18.820 --> 27:28.980]  That's a challenge. It's a weakness that a lot of folks have made a lot of fuss about, and honestly, they probably should.
[27:28.980 --> 27:36.060]  That stuff has been a matter of sending a piece of paper or an email from one secretary of state's office to the other.
[27:36.860 --> 27:40.940]  So, obviously, you're going to have systems like ERIC popping up.
[27:40.940 --> 27:53.060]  Now, my understanding, which is limited, is that in ERIC, you're not having a situation where the statewide databases are talking directly to each other, which is great.
[27:53.060 --> 28:02.520]  But, obviously, again, there is the malware issue. Malware can ride along with all kinds of things.
[28:02.520 --> 28:08.700]  And at any given time, a third or more of the malware out there in the wild could be zero-day.
[28:08.700 --> 28:17.220]  So, you know, it's the same problem we have with antivirus systems. They can only be so up-to-date. They can only be so current.
[28:18.820 --> 28:24.760]  So, anyway, I'm not going to say, I hope I didn't scare you. I hope I did. That's why I'm here.
[28:24.760 --> 28:32.840]  I think that's why a lot of us are here, are to scare people into action and to scare people into making things better.
[28:33.280 --> 28:39.720]  Again, I'm not trying to knock anybody down. I'm just trying to draw a lot of attention to this problem.
[28:39.720 --> 28:48.800]  And this is a problem we could go into a lot more technical detail on, and, you know, I could talk for, you know, an hour or two if I wanted to.
[28:48.800 --> 28:57.840]  But I want to keep this accessible. I know for the election administrators who are watching this, and also I only have about 20 or 30 minutes to do it.
[28:57.840 --> 29:03.200]  But it's a conversation I think we need to have a lot more of.
[29:03.320 --> 29:11.220]  Thanks. Thanks very much for listening. Thanks to Voting Village for having me, and hopefully I'll see you next year, maybe even in person.
